Thursday, June 07, 2012

The use case for #OpenID indicated by the #LinkedIn hack

LinkedIn was hacked; all the passwords in use a few days ago are no longer secret. The advice people get is to change their password everywhere where they use the same password.

This blog post is not about LinkedIn. It is about the lack of security that passwords provide, seen from a user's point of view. Any organisation that thinks it cannot happen to them is delusional. From a user's point of view, any website that wants you to create an account with a password that is maintained on that website is a potential security risk: any site can be hacked, and you do not remember passwords that are unique to each website.

For a user, it is more secure to rely on one place where all the authentication to any website is done. The advantage becomes clear when a website is hacked: there is no password of yours there for an attacker to abuse. When the authentication server itself is hacked, all that is required is to change the password at that central server.

LinkedIn was compromised, and as a result many people with a Wikimedia account who reused the same password there have a compromised account as well. Many of these people will not change their password, because they cannot be bothered or because they are not aware of the risk.

As a consequence, disruption by "trusted users" is a potential and realistic scenario. This risk can be mitigated by accepting authentication through an OpenID service.
Thanks,
GerardM